Hundreds of thousands of U were stolen, revealing the whole process of a new asset fraud targeting TG Bot players

Odaily资深作者

2024-07-24 04:00

This article is about 987 words, reading the full article takes about 2 minutes

The attackers took advantage of the fact that people would trust monitoring robots and spread their phishing links.

Original author: Box | 826.eth (X: @BoxMrChen )

Recently, more and more friends have come to me to tell me that their private keys have been stolen for no apparent reason. To be honest, I don’t believe it. However, after many investigations, we found that they actually have a very obvious characteristic, that they are all local players. After investigation and summary, we finally summarized a complete process chain. I hope it can be of some inspiration to everyone.

1. Automatically cast the net

As Sol's ecosystem grows rapidly, there are now many automated monitoring robots that are very sophisticated and can obtain a large amount of information for analysis, and attackers are the first to take advantage of this.

Let's demonstrate this with an example.

Pay attention to the place marked by the red line, where a Telegram group appears. This happens to be the main entrance to the theft.

Sol's tokens are quite unique. By uploading Metadata, a lot of data can be automatically set, such as avatars, social links, etc.

It can be seen that the data here is exactly the data displayed by the monitoring robot. In other words, the attackers took advantage of the highly credible channel that everyone believes in, such as the monitoring robot , to spread their phishing links.

To trigger this kind of monitoring, you only need to set up some robots to pull the market. They only need to make the data look good, and many people will be easily fooled. Now proceed to the next step.

2. False Verification

If you accidentally click on this TG and want to enter these TG groups, congratulations, you are one step closer to being stolen. Thanks to TG's latest mini-program function, attackers have a perfect way to make fakes look real. When you enter these groups, you will see a verification request, which is very common because many TG groups have to prevent robots, so it is also a very credible requirement. When you click on it, you need to be careful.

At this time, he will use the TG applet to pop up a realistic TG login window. If you accidentally scan the code at this time, I'm sorry, your TG has been logged in and controlled by the attacker.

3. Record Scan

At this stage, the attacker will quickly scan your chat history and your various TG Bots. As we all know, the current TG Bots are basically naked, and the attacker can easily take your assets from your Bot. The target users they attack happen to be these local dog players, and the target users are clear. At this time, many high-value meme coins become the hacker's meal.

At this point, the attack is over. Why is this case worth talking about? Because many users can't even tell that it's a hacker attack. When they consult us, they won't provide any information about TG. They always believe that there is a computer Trojan or phishing link. The whole process seems very credible to ordinary users, from the credible monitoring bot to the credible TG verification, there is no suspicious operation in any part.